linux/security/landlock/object.h

/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * Landlock LSM - Object management
 *
 * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2018-2020 ANSSI
 */

#ifndef _SECURITY_LANDLOCK_OBJECT_H
#define _SECURITY_LANDLOCK_OBJECT_H

#include <linux/compiler_types.h>
#include <linux/refcount.h>
#include <linux/spinlock.h>

struct landlock_object;

/**
 * struct landlock_object_underops - Operations on an underlying object
 */
struct landlock_object_underops {
	/**
	 * @release: Releases the underlying object (e.g. iput() for an inode).
	 */
	void (*release)(struct landlock_object *const object)
		__releases(object->lock);
};

/**
 * struct landlock_object - Security blob tied to a kernel object
 *
 * The goal of this structure is to enable to tie a set of ephemeral access
 * rights (pertaining to different domains) to a kernel object (e.g an inode)
 * in a safe way.  This implies to handle concurrent use and modification.
 *
 * The lifetime of a &struct landlock_object depends on the rules referring to
 * it.
 */
struct landlock_object {
	/**
	 * @usage: This counter is used to tie an object to the rules matching
	 * it or to keep it alive while adding a new rule.  If this counter
	 * reaches zero, this struct must not be modified, but this counter can
	 * still be read from within an RCU read-side critical section.  When
	 * adding a new rule to an object with a usage counter of zero, we must
	 * wait until the pointer to this object is set to NULL (or recycled).
	 */
	refcount_t usage;
	/**
	 * @lock: Protects against concurrent modifications.  This lock must be
	 * held from the time @usage drops to zero until any weak references
	 * from @underobj to this object have been cleaned up.
	 *
	 * Lock ordering: inode->i_lock nests inside this.
	 */
	spinlock_t lock;
	/**
	 * @underobj: Used when cleaning up an object and to mark an object as
	 * tied to its underlying kernel structure.  This pointer is protected
	 * by @lock.  Cf. landlock_release_inodes() and release_inode().
	 */
	void *underobj;
	union {
		/**
		 * @rcu_free: Enables lockless use of @usage, @lock and
		 * @underobj from within an RCU read-side critical section.
		 * @rcu_free and @underops are only used by
		 * landlock_put_object().
		 */
		struct rcu_head rcu_free;
		/**
		 * @underops: Enables landlock_put_object() to release the
		 * underlying object (e.g. inode).
		 */
		const struct landlock_object_underops *underops;
	};
};

struct landlock_object *
landlock_create_object(const struct landlock_object_underops *const underops,
		       void *const underobj);

void landlock_put_object(struct landlock_object *const object);

static inline void landlock_get_object(struct landlock_object *const object)
{
	if (object)
		refcount_inc(&object->usage);
}

#endif /* _SECURITY_LANDLOCK_OBJECT_H */
landlock: Add object management A Landlock object enables to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain). Because Landlock's goal is to empower any process (especially unprivileged ones) to sandbox themselves, we cannot rely on a system-wide object identification such as file extended attributes. Indeed, we need innocuous, composable and modular access-controls. The main challenge with these constraints is to identify kernel objects while this identification is useful (i.e. when a security policy makes use of this object). But this identification data should be freed once no policy is using it. This ephemeral tagging should not and may not be written in the filesystem. We then need to manage the lifetime of a rule according to the lifetime of its objects. To avoid a global lock, this implementation make use of RCU and counters to safely reference objects. A following commit uses this generic object management for inodes. Cc: James Morris <jmorris@namei.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jann Horn <jannh@google.com> Acked-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210422154123.13086-2-mic@digikod.net Signed-off-by: James Morris <jamorris@linux.microsoft.com> 2021-04-22 18:41:11 +03:00			`/* SPDX-License-Identifier: GPL-2.0-only */`
			`/*`
			`* Landlock LSM - Object management`
			`*`
			`* Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>`
			`* Copyright © 2018-2020 ANSSI`
			`*/`

			`#ifndef _SECURITY_LANDLOCK_OBJECT_H`
			`#define _SECURITY_LANDLOCK_OBJECT_H`

			`#include <linux/compiler_types.h>`
			`#include <linux/refcount.h>`
			`#include <linux/spinlock.h>`

			`struct landlock_object;`

			`/**`
			`* struct landlock_object_underops - Operations on an underlying object`
			`*/`
			`struct landlock_object_underops {`
			`/**`
			`* @release: Releases the underlying object (e.g. iput() for an inode).`
			`*/`
			`void (release)(struct landlock_object const object)`
			`__releases(object->lock);`
			`};`

			`/**`
			`* struct landlock_object - Security blob tied to a kernel object`
			`*`
			`* The goal of this structure is to enable to tie a set of ephemeral access`
			`* rights (pertaining to different domains) to a kernel object (e.g an inode)`
			`* in a safe way. This implies to handle concurrent use and modification.`
			`*`
			`* The lifetime of a &struct landlock_object depends on the rules referring to`
			`* it.`
			`*/`
			`struct landlock_object {`
			`/**`
			`* @usage: This counter is used to tie an object to the rules matching`
			`* it or to keep it alive while adding a new rule. If this counter`
			`* reaches zero, this struct must not be modified, but this counter can`
			`* still be read from within an RCU read-side critical section. When`
			`* adding a new rule to an object with a usage counter of zero, we must`
			`* wait until the pointer to this object is set to NULL (or recycled).`
			`*/`
			`refcount_t usage;`
			`/**`
			`* @lock: Protects against concurrent modifications. This lock must be`
			`* held from the time @usage drops to zero until any weak references`
			`* from @underobj to this object have been cleaned up.`
			`*`
			`* Lock ordering: inode->i_lock nests inside this.`
			`*/`
			`spinlock_t lock;`
			`/**`
			`* @underobj: Used when cleaning up an object and to mark an object as`
			`* tied to its underlying kernel structure. This pointer is protected`
			`* by @lock. Cf. landlock_release_inodes() and release_inode().`
			`*/`
			`void *underobj;`
			`union {`
			`/**`
			`* @rcu_free: Enables lockless use of @usage, @lock and`
			`* @underobj from within an RCU read-side critical section.`
			`* @rcu_free and @underops are only used by`
			`* landlock_put_object().`
			`*/`
			`struct rcu_head rcu_free;`
			`/**`
			`* @underops: Enables landlock_put_object() to release the`
			`* underlying object (e.g. inode).`
			`*/`
			`const struct landlock_object_underops *underops;`
			`};`
			`};`

landlock: Format with clang-format Let's follow a consistent and documented coding style. Everything may not be to our liking but it is better than tacit knowledge. Moreover, this will help maintain style consistency between different developers. This contains only whitespace changes. Automatically formatted with: clang-format-14 -i security/landlock/*.[ch] include/uapi/linux/landlock.h Link: https://lore.kernel.org/r/20220506160513.523257-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net> 2022-05-06 19:05:08 +03:00			`struct landlock_object *`
			`landlock_create_object(const struct landlock_object_underops *const underops,`
			`void *const underobj);`
landlock: Add object management A Landlock object enables to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain). Because Landlock's goal is to empower any process (especially unprivileged ones) to sandbox themselves, we cannot rely on a system-wide object identification such as file extended attributes. Indeed, we need innocuous, composable and modular access-controls. The main challenge with these constraints is to identify kernel objects while this identification is useful (i.e. when a security policy makes use of this object). But this identification data should be freed once no policy is using it. This ephemeral tagging should not and may not be written in the filesystem. We then need to manage the lifetime of a rule according to the lifetime of its objects. To avoid a global lock, this implementation make use of RCU and counters to safely reference objects. A following commit uses this generic object management for inodes. Cc: James Morris <jmorris@namei.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jann Horn <jannh@google.com> Acked-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210422154123.13086-2-mic@digikod.net Signed-off-by: James Morris <jamorris@linux.microsoft.com> 2021-04-22 18:41:11 +03:00
			`void landlock_put_object(struct landlock_object *const object);`

			`static inline void landlock_get_object(struct landlock_object *const object)`
			`{`
			`if (object)`
			`refcount_inc(&object->usage);`
			`}`

			`#endif /* _SECURITY_LANDLOCK_OBJECT_H */`